Steps to configure a vendor issued SSL certificate on EEM (igateway and dxserver)
Article ID: 406444

Products

Autosys Workload Automation

Issue/Introduction

This document offers steps to configure a vendor-issued or custom SSL certificate for EEM (iGateway) and CA Directory (dxserver).

Resolution

On the EEM Server:

#1 Stop iGateway:
/etc/init.d/igatewayd stop

 

#2 Stop dxserver
su - dsa
dxserver stop all
ps -fe|grep dxserver
exit

 

#3 Backup first, as ROOT
cp -rp /opt/CA/SharedComponents/CADirectory  /opt/CA/SharedComponents/CADirectory_backup
cp -rp /opt/CA/SharedComponents/iTechnology  /opt/CA/SharedComponents/iTechnology_backup
cp -rp /opt/CA/SharedComponents/EmbeddedEntitlementsManager /opt/CA/SharedComponents/EmbeddedEntitlementsManager_backup

 

#4 Set up environment as ROOT using EEM JRE:

JAVA_HOME=/opt/CA/SharedComponents/EmbeddedEntitlementsManager/jre; export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH; export PATH


#5 Change directory to iTechnology
cd /opt/CA/SharedComponents/iTechnology



#6 List what currently exists in the keystore. Follow step 7 only if this list shows at least one entry.

keytool -keystore .keystore.pkcs12 -storepass changeit -list -v  -storetype pkcs12

Keystore type: pkcs12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jul 14, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=$COMPUTER_HOST_FQDN$, OU=WCC, O=CA
Issuer: CN=$COMPUTER_HOST_FQDN$, OU=WCC, O=CA
Serial number: 5b0d8902
Valid from: Tue Jul 14 16:45:56 EDT 2020 until: Sun Jul 14 16:45:56 EDT 2030
Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: XX XX XX XX XX XX XX  >....x..>.D..ag.
0010: 90 D3 E2 4A                                        ...J
]


#7 Delete the existing private key entry (alias tomcat):

keytool -delete -alias tomcat -keystore .keystore.pkcs12 -storepass changeit -storetype pkcs12


#8 Confirm the alias was deleted by listing the keystore again:

keytool -keystore .keystore.pkcs12 -storepass changeit -list -v -storetype pkcs12

Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 0 entries

 

#9 Generate a new private key / self-signed certificate:

#9a) Make sure the dname and the Subject Alternative Name (SAN) both have a value.
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore.pkcs12 -storepass changeit -keypass changeit -keysize 2048 -dname cn=My-EEM-Server.example.com -ext san=DNS:My-EEM-Server1.example.com,DNS:My-EEM-Server2.example.com -validity 365 -storetype pkcs12

#9b) The above command returns nothing to the console unless there is an error of some sort.



#7 List the keystore contents again and look for the Alias name and Entry type (should be a PrivateKeyEntry):

keytool -keystore .keystore.pkcs12 -storepass changeit -list -v -storetype pkcs12

Keystore type: pkcs12
  Keystore provider: SUN

  Your keystore contains 1 entry

  Alias name: tomcat
  Creation date: Apr 12, 2022
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=My-EEM-server1.example.com
  Issuer: CN=My-EEM-server1.example.com
  Serial number: 439ecd7
  Valid from: Tue Apr 12 12:25:46 EDT 2022 until: Wed Apr 12 12:25:46 EDT 2023
  Certificate fingerprints:
     MD5:  <###MD5 checksum>
     SHA1: < ### SHA1 Checksum ## >
     SHA256: < ## SHA256 checksum ## >
  Signature algorithm name: SHA256withRSA
  Subject Public Key Algorithm: 2048-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
    DNSName: My-EEM-Server1.example.com
  ]

  #2: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: XX XX XX XX XX XX   .....i?..Ab.,Xh.
  0010: 94 A5 8B 64                                        ...d
  ]
  ]

 

#8 Create a Certificate Signing Request (CSR) based on the private key above.

#8a) If several servers sit behind a load balancer, include all the server names plus the real URL name in the request. For example, if EEM is accessed as eem.example.com but there are 2 underlying servers, eem-server1 and eem-server2, the request should have -ext san=dns:eem.example.com,dns:eem-server1.example.com,dns:eem-server2.example.com

keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore.pkcs12 -storepass changeit -file eem-cert.csr -ext "SAN=DNS:My-EEM-Server1.example.com,DNS:My-EEM-Server2.example.com" -storetype pkcs12

# NOTE:
1) The above command creates the file eem-cert.csr in the folder where all the above commands are run (/opt/CA/SharedComponents/iTechnology).
2) The CSR can also be validated: copy the contents of eem-cert.csr into a decoder such as https://www.sslshopper.com/csr-decoder.html
It should show the Common Name and the SAN names used in the above command.
If they are not correct, the CSR was made incorrectly. Repeat ALL the steps from step 1.
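As an added example (not part of this article), the same CN and SAN check from note 2 can be done locally with openssl, so the CSR never has to be pasted into a third-party website. The script assumes openssl 1.1.1 or newer is on the PATH; the function names csr_summary, csr_check and make_sample_csr are chosen here and are not EEM tools, and make_sample_csr only produces a constructed throwaway CSR so the check can be exercised (the article's CSR comes from keytool).

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: check a CSR offline with
# openssl (CN and SAN list) instead of pasting it into a decoder website.
# Assumes openssl 1.1.1 or newer on PATH. Function names are chosen here.

# Print the CSR's subject and requested extensions for a human to read.
csr_summary() {
  openssl req -in "$1" -noout -subject -text
}

# csr_check CSR EXPECTED_CN DNS_NAME... -> 0 when the subject CN equals
# EXPECTED_CN and every DNS_NAME appears in the requested SAN extension;
# otherwise prints what is wrong and returns 1.
csr_check() {
  csr="$1"; want_cn="$2"; shift 2
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) \
    || { echo "cannot parse CSR $csr"; return 1; }
  # "Subject: CN = x" (openssl 1.1.1/3.x) or "Subject: CN=x" (older builds)
  cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,]*\).*/\1/p' | head -n 1)
  [ "$cn" = "$want_cn" ] || { echo "CN mismatch: got '$cn', want '$want_cn'"; return 1; }
  # The SAN values are printed on the line after the extension name.
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ')
  rc=0
  for name in "$@"; do
    case ",$san," in
      *",DNS:$name,"*) ;;
      *) echo "SAN missing DNS:$name"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample input: a throwaway key and CSR carrying a SAN list,
# standing in for the eem-cert.csr that keytool writes in the article.
make_sample_csr() {
  dir="$1"; cn="$2"; sans="$3"   # sans e.g. "DNS:a.example.com,DNS:b.example.com"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sample.key" \
    -out "$dir/sample.csr" -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
}

# Usage:
#   make_sample_csr /tmp/demo eem.example.com "DNS:eem.example.com,DNS:eem-server1.example.com"
#   csr_check /tmp/demo/sample.csr eem.example.com eem.example.com eem-server1.example.com
```

Run csr_check against eem-cert.csr with the CN and every DNS name you expect; a non-zero exit with a "SAN missing" line means the request was built without that name and the keytool steps should be repeated as the note says.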

 

#9 The resulting eem-cert.csr must be provided to the Certificate Authority.

#10 The Certificate Authority returns a response, usually as a zip file, a .p7b file, or individual files (containing the server certificate and the root / intermediate certificates).

# NOTE: The preferred import order is Root (root.crt) first, Intermediate (inter.crt) next, and the real server certificate (My-EEM-Server.example.com.crt) last. These files have to be uploaded to the /opt/CA/SharedComponents/iTechnology folder.


#11 Because the CSR was generated from .keystore.pkcs12 with the alias tomcat, the reply the Certificate Authority sent is only valid for that keystore and alias=tomcat.
So, back up the keystore first:

# change directory
cd /opt/CA/SharedComponents/iTechnology
cp -p .keystore.pkcs12 .keystore_before_cert_import.pkcs12

 

 

#12 Import Root first
keytool -importcert -alias RootCA -file root.crt -keystore .keystore.pkcs12 -storepass changeit -storetype pkcs12

  Owner: CN=My-EEM-Server-cert, DC=example, DC=com
  Issuer: CN=My-EEM-Server-cert, DC=example, DC=com
  Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
  Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
  Certificate fingerprints:
     MD5:  <###MD5 checksum>
     SHA1: < ### SHA1 Checksum ## >
     SHA256: < ## SHA256 checksum ## >
  Signature algorithm name: SHA1withRSA
  Subject Public Key Algorithm: 2048-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
  0000: 02 01 00                                           ...


  #2: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen:2147483647
  ]

  #3: ObjectId: 2.5.29.15 Criticality=false
  KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
  ]

  #4: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: XX XX XX XX XX   ..*.....\.2.....
  0010: 05 C7 40 94                                        ..@.
  ]
  ]

  Trust this certificate? [no]:  yes
  Certificate was added to keystore

 

#13 Import the intermediate certificate. The output may differ slightly from the root import above, unless there is an error.
keytool -importcert -alias intermediateCA -file inter.crt -keystore .keystore.pkcs12 -storepass changeit -storetype pkcs12

#13a) If there are more certificates (an additional issuing certificate, for example), import them too; the full chain is needed and none can be missed.

 


#14 Finally, import the server certificate. The response should be exactly the line shown below.

keytool -importcert -trustcacerts -file My-EEM-Server.example.com.crt -alias tomcat -keystore .keystore.pkcs12 -storepass changeit -storetype pkcs12

 Certificate reply was installed in keystore

#14a) NOTE: the above line is keytool's response, indicating that the reply from the Certificate Authority was installed properly.
#14b) Any other message potentially means that the import was not correct.

 


#15 List again: the tomcat alias should still be a PrivateKeyEntry and should now contain additional certificates because of the import above.

keytool -keystore .keystore.pkcs12 -storepass changeit -list -v -storetype pkcs12

Keystore type: pkcs12
Keystore provider: SUN

 Your keystore contains 2 entries

 Alias name: rootca
 Creation date: Apr 12, 2022
 Entry type: trustedCertEntry

 Owner: CN=MyCustomROOT-cert, DC=example, DC=com
 Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
 Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
 Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
 Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
 0000: 02 01 00                                           ...

 #2: ObjectId: 2.5.29.19 Criticality=true
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
   DigitalSignature
   Key_CertSign
   Crl_Sign
 ]

 #4: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: XX XX XX XX XX XX   ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 Alias name: tomcat
 Creation date: Apr 12, 2022
 Entry type: PrivateKeyEntry
 Certificate chain length: 2
 Certificate[1]:
 Owner: cn=My-EEM-Server1.example.com
 Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
 Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
 Valid from: Tue Apr 12 12:23:14 EDT 2022 until: Thu Apr 11 12:23:14 EDT 2024
 Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
 0000: 30 0C 30 0A 06 08 2B 06   01 05 05 07 03 01        0.0...+.......

 #2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
 0000: XXXXXXXXXXXXXXXXXXXXXX -.%+.....7.....
 0010: XXXXXXXXXXXXXXXX   ...s...<.......(
 0020: 6D 83 95 C1 1C 87 ED CA   4D 02 01 64 02 01 06     m.......M..d...

 #3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
 AuthorityInfoAccess [
   [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=CN=MyCustomROOT-cert, DC=example, DC=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CN=MyCustomROOT-cert, DC=example, DC=com?cACertificate?base?objectClass=certificationAuthority
 ]
 ]

 #4: ObjectId: 2.5.29.35 Criticality=false
 AuthorityKeyIdentifier [
 KeyIdentifier [
 0000: XX XXXXXXXXXXXXX  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 #5: ObjectId: 2.5.29.31 Criticality=false
 CRLDistributionPoints [
   [DistributionPoint:
   [ URIName: ldap:///CN=CN=MyCustomROOT-cert, DC=Example, DC=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CN=MyCustomROOT-cert, DC=Example, DC=com?cACertificate?base?objectClass=certificationAuthority]
 ]]

 #6: ObjectId: 2.5.29.37 Criticality=false
 ExtendedKeyUsages [
   serverAuth
 ]

 #7: ObjectId: 2.5.29.15 Criticality=true
 KeyUsage [
   DigitalSignature
   Key_Encipherment
 ]

 #8: ObjectId: 2.5.29.17 Criticality=false
 SubjectAlternativeName [
   DNSName: My-EEM-Server1.example.com
 ]

 #9: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: XXXXx XXXXXXXXXXXXX XX  .....i?..Ab.,Xh.
 0010: 94 A5 8B 64                                        ...d
 ]
 ]

 Certificate[2]:
 Owner: CN=MyCustomROOT-cert, DC=example, DC=com
 Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
 Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
 Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
 Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
 0000: 02 01 00                                           ...


 #2: ObjectId: 2.5.29.19 Criticality=true
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
   DigitalSignature
   Key_CertSign
   Crl_Sign
 ]

 #4: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000:  XX XXXXXXXXXXX XX  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 

#15a NOTE: If the imported server certificate does not associate properly with the tomcat alias as a PrivateKeyEntry, the certificate cannot be used by Tomcat.
Errors seen would be something like "Alias name tomcat does not identify a key entry" or "No private key".

 

 

#16 Extract the private key. Since changeit is the keystore password throughout the above commands, provide changeit as the password for the next 3 commands (including the passphrases for the keys).
openssl pkcs12 -in .keystore.pkcs12 -nocerts -out encrypted-private.key
## with newer OpenSSL releases add the -legacy flag to the above command, like
## openssl pkcs12 -in .keystore.pkcs12 -nocerts -out encrypted-private.key -legacy

ls -al encrypted-private.key
cat encrypted-private.key

openssl pkcs12 -in .keystore.pkcs12 -clcerts -nokeys -out server-cert.pem
## with newer OpenSSL releases add the -legacy flag to the above command: openssl pkcs12 -in .keystore.pkcs12 -clcerts -nokeys -out server-cert.pem -legacy

ls -al server-cert.pem
cat server-cert.pem

openssl rsa -in encrypted-private.key -out custom-itechpoz.key
ls -al custom-itechpoz.key
cat custom-itechpoz.key
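Before the PEM files are copied to dxserver it is worth confirming that custom-itechpoz.key really belongs to server-cert.pem and that the server certificate chains to root.crt and inter.crt; this is the same pairing that dxcertgen reports as "Private key matches supplied certificate" in step #22, and a mismatch here is what produces the "No private key" situation in note #15a. The script below is an added example, not part of this article. It assumes openssl 1.1.1 or newer on the PATH; key_matches_cert, chain_verifies and make_sample_pki are names chosen here, and make_sample_pki builds a constructed throwaway root CA and server certificate only so the checks can be run without the vendor CA's files.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: confirm that the PEM key
# and certificate extracted in step #16 belong together and that the server
# certificate chains to the CA files before anything is copied to dxserver.
# Assumes openssl 1.1.1 or newer on PATH; function names are chosen here.

# key_matches_cert KEYFILE CERTFILE -> 0 when both carry the same public key.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# chain_verifies CERTFILE CAFILE... -> 0 when CERTFILE verifies against the
# concatenated CA files (root.crt, inter.crt, ... in the article's order).
chain_verifies() {
  cert="$1"; shift
  bundle=$(mktemp)
  cat "$@" > "$bundle"
  if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$bundle"
  return $rc
}

# Constructed sample PKI for the demonstration: a throwaway root CA, a server
# key/cert signed by it, and an unrelated key. A real deployment uses the
# files returned by the vendor CA instead.
make_sample_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/DC=com/DC=example/CN=MyCustomROOT-cert" -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/custom-itechpoz.key" \
    -out "$d/server.csr" -subj "/CN=My-EEM-Server1.example.com" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/server-cert.pem" -days 30 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Usage on the EEM server, from /opt/CA/SharedComponents/iTechnology:
#   key_matches_cert custom-itechpoz.key server-cert.pem && echo "key matches cert"
#   chain_verifies server-cert.pem root.crt inter.crt && echo "chain OK"
```

Both functions only return an exit status, so they can gate the cp commands that follow (for example `key_matches_cert custom-itechpoz.key server-cert.pem || exit 1`) and stop a bad pair from ever reaching dxserver.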


#17 Copy the PEM files to dxserver. It is OK to see a warning about not being able to copy folders; folders are not needed.

(also make sure to have the intermediate and rootca cert files there if they are required in this environment)
cp -p /opt/CA/SharedComponents/iTechnology/server-cert.pem /opt/CA/SharedComponents/CADirectory/dxserver
cp -p /opt/CA/SharedComponents/iTechnology/custom-itechpoz.key /opt/CA/SharedComponents/CADirectory/dxserver
chown dsa /opt/CA/SharedComponents/CADirectory/dxserver/*

#17a) There is NO need to recursively chown in dxserver, just the few files copied in the step above.
That's why -r is not present. dxserver/bin/dxadmind and dxserver/bin/dxserver have a sticky bit and must be owned by root,
or else CA Directory won't start. DO NOT change this.

 

#18 change to dsa user
su - dsa
cd $DXHOME
pwd
/opt/CA/SharedComponents/CADirectory/dxserver

 

#19 Go to the ssld configuration folder and start the steps:
cd /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld

 

#20 List all certs
dxcertgen listca

# remove the default rootca
# in my case the certnumber was 0
# dxcertgen -r 0 removeca
# dxcertgen -r 1 removeca
# dxcertgen -r 2 removeca

# list all
dxcertgen report

#21 Copy the itechpoz.key to the ssld folder first
cp -p /opt/CA/SharedComponents/CADirectory/dxserver/custom-itechpoz.key /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz.key

 
#22 Import the server cert now
dxcertgen -D itechpoz -n /opt/CA/SharedComponents/CADirectory/dxserver/server-cert.pem certmerge

Example output from a successful run looks like:

! Loading certificate key from /opt/CA/SharedComponents/CADirectory/dxserver/server-cert.pem ...
! Loading private key from /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz.key ...
! Private key matches supplied certificate
! Creating Personality ...

Done.


#23 Import root now

dxcertgen -n /opt/CA/SharedComponents/CADirectory/dxserver/root.crt importca


Example output from successful run of the above command:

! Loading certificate from /opt/CA/SharedComponents/CADirectory/dxserver/root.crt ...
! Writing certificate to trusted.pem /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/ ...
Writing root certificate to trusted.pem...

Done.

 

#24) import intermediate
dxcertgen -n /opt/CA/SharedComponents/CADirectory/dxserver/inter.crt importca

Example output from successful run of the above command:

! Loading certificate from /opt/CA/SharedComponents/CADirectory/dxserver/inter.crt ...
! Writing certificate to trusted.pem /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/ ...
Writing root certificate to trusted.pem...

Done.

#24a) If there are more certificates (issuing certificates, for example), import them too. The full chain is needed and none can be missed.

#24b) Append the root cert and issuing cert to the itechpoz-trusted.pem file
cat /opt/CA/SharedComponents/CADirectory/dxserver/root.crt >>  /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz-trusted.pem
cat /opt/CA/SharedComponents/CADirectory/dxserver/inter.crt >>  /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz-trusted.pem

#24c) If you have more than 1 Directory node, the nodes need each other's certificates. So server1's certificate should be imported on server2, and server2's certificate on server1

On: <server1>.<example>.<com>   
dxcertgen -n /opt/CA/SharedComponents/CADirectory/dxserver/<server2_pem_file.pem> importca  

On: <server2>.<example>.<com>   
dxcertgen -n /opt/CA/SharedComponents/CADirectory/dxserver/<server1_pem_file.pem> importca  

 

#26 Start Directory
dxserver start all

 

#27 Test with openssl s_client to verify the correct certificate is now in place
openssl s_client -connect servername:509

 

#28 As root now, copy the keystore.PKCS12 as keystore.p12 into the iTechnology folder. The steps being followed are:
# as root
cd /opt/CA/SharedComponents/iTechnology
cp -p igateway.conf igateway.conf.bkp
vi igateway.conf

<Connector name="defaultport">
<port>5250</port>
<mustlisten>true</mustlisten>
<conntype/>
<conntimeout>120</conntimeout>
<peektimeout>30</peektimeout>
<maxconnections>1000</maxconnections>
<maxrequestbytes>10000000</maxrequestbytes>
<maxpiperequests>10</maxpiperequests>
<maxAcceptRate/>
<certType/>
<certURI/>
<certPW/>
<keyURI/>
<keyPW/>
<secureProtocol/>
<cipherlist/>
</Connector>

 

#29 Set certType to pem by adding or updating below to the <Connector name="defaultport"> section
<certType>pem</certType>

 

#30 Set certURI to the certificate filename, by adding or updating below to the <Connector name="defaultport"> section
<certURI>server-cert.pem</certURI>

 

#31 Set keyURI to the key filename, by adding or updating below to the <Connector name="defaultport"> section
<keyURI>custom-itechpoz.key</keyURI>

 

#32 Save the file and Restart iGateway 
/etc/init.d/igatewayd start

#32a) Check the EEM URL now and verify the certificate is correct

### Repeat the above on EEM node 2
### Remove and Re-establish EEM HA

 

Additional Information

For the Windows platform the steps are the same. However, the openssl tool is not available by default; work with your System Administrator to get openssl for Windows downloaded and installed.